
Russia's Fancy Bear and Cozy Bear hacking groups are under the spotlight

Key Points
  • Cozy Bear and Fancy Bear are both linked to Russian intelligence agencies. 
  • On Thursday, Cozy Bear cyber spies were accused of trying to steal coronavirus vaccine information from the U.S., Britain, and Canada. 
  • Russia denies the allegations. 

Security officials have accused Russian hackers of trying to steal information about coronavirus vaccine research in the U.S., Canada and the U.K.

The U.S. Department of Homeland Security, the Cybersecurity and Infrastructure Security Agency, the National Security Agency, Canada's Communications Security Establishment and the U.K.'s National Cyber Security Centre joined forces Thursday in accusing Russia of the hacking campaign.

"It is completely unacceptable that the Russian Intelligence Services are targeting those working to combat the coronavirus pandemic," U.K. Foreign Secretary Dominic Raab said in a statement. "While others pursue their selfish interests with reckless behaviour, the U.K. and its allies are getting on with the hard work of finding a vaccine and protecting global health." 

Raab also said that he was almost certain that Russians sought to interfere in the U.K.'s general election in 2019, but he didn't point the finger at any specific group. Russia denied both allegations. 

Phishing for a cure

So who exactly was trying to steal the coronavirus vaccine? Well, security officials think they know.

There are two hacking groups that are thought to be linked to Russian spy agencies: one is Fancy Bear and the other is Cozy Bear.

In this case, the lesser-known Cozy Bear is said to be the main culprit. It is formally known as APT29, where APT stands for advanced persistent threat.

Over the last few months, Cozy Bear hackers allegedly used spear phishing and custom malware to try to extract files crucial to developing a vaccine.

"This latest campaign fits with their modus operandi of disruption, stealing intellectual property, and sowing distrust in democracy," said Andrew Tsonchev, director of technology at security firm Darktrace.

"We are at the stage where groups like this are able to send malicious emails that are impossible for humans to distinguish from genuine communication."

Cozy Bear is thought to be linked to Russia's foreign intelligence service, or the SVR RF, which collaborates with the country's Federal Security Service (FSB).

The U.K.'s NCSC said that Cozy Bear "almost certainly operates as part of Russian intelligence services," adding that it was 95% sure.

Kremlin spokesman Dmitry Peskov rejected the allegations Thursday, according to the state-owned TASS news agency.

"We do not have information about who may have hacked into pharmaceutical companies and research centres in Great Britain. We can say one thing — Russia has nothing at all to do with these attempts," he said.

Cozy Bear was involved in the hack on the Democratic National Committee (DNC) during the U.S. presidential election in 2016, according to security firm CrowdStrike.

Norway's PST security agency said Cozy Bear targeted Norway's Labor Party in 2017, as well as the country's defense and foreign ministries.

Ferocious Fancy Bear

Fancy Bear, more formally known as APT28, is better known than Cozy Bear.

It's believed to be the hacking division of the GRU, which is the main military foreign-intelligence service of Russia.

Like Cozy Bear, Fancy Bear was said to be involved in the hack of DNC servers during the 2016 U.S. election campaign.

Some of Fancy Bear's hackers were publicly named by special counsel Robert Mueller following his investigation into Russian interference during the campaign.

In total, 12 agents were named, and one of them is also being sought by German officials for a cyberattack on the German Bundestag in 2015.